
Virtual Geek

Tales from real IT system administrators world and non-production environment

Powershell Active Directory: Show treeview of nested Group members downstream hierarchy

This script is the second part of my earlier article Powershell Active Directory: Show treeview of User or Group memberof hierarchy; that one showed an upstream tree view of nested MemberOf groups. After writing the first script I got another requirement: to show the tree in the reverse direction, the group members hierarchy downstream, as seen from the Members tab. To write this script I made very few changes to my earlier script.


To use it, run .\Show-ADGroupTreeViewMembers -GroupName Administrators. It accepts only the GroupName parameter and shows only groups in the tree; it does not show users, because there could be hundreds to thousands of user accounts in the branches, which would make it harder to troubleshoot nested group permissions.



This script can be downloaded from GitHub as well as from here.

```powershell
#requires -version 4
function Show-ADGroupTreeViewMembers {
<#
.SYNOPSIS
    Show a downstream tree view of the member groups of an Active Directory group, recursively.
.DESCRIPTION
    Show-ADGroupTreeViewMembers lists all nested member groups of an AD group. It requires only a valid AD group name.
    Only groups are shown; user and computer members are skipped.
.PARAMETER GroupName
    A valid Active Directory group name. 'Group' can be used as an alias. If no value is provided, the 'Domain Admins' group is used.
.INPUTS
    Microsoft.ActiveDirectory.Management.ADGroup
.OUTPUTS
    System.String (one indented line per group)
.NOTES
    Version:        2.0
    Author:         Kunal Udapi
    Creation Date:  10 September 2017
    Purpose/Change: Get the nested downstream group info of members
    Useful URLs:    http://vcloud-lab.com
.EXAMPLE
    PS C:\>.\Show-ADGroupTreeViewMembers -GroupName 'Administrators'

    Lists all the downstream member groups of a group as an indented tree.
#>

[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium',
    HelpURI='http://vcloud-lab.com')]
Param
(
    [parameter(Position=0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid AD Group')]
    [alias('Group')]
    [String]$GroupName = 'Domain Admins',
    # Internal parameters used by the recursive calls to track the indentation depth; hidden from help.
    [parameter(DontShow=$True)]
    [alias('U')]
    $UpperValue = [System.Int32]::MaxValue,
    [parameter(DontShow=$True)]
    [alias('L')]
    $LowerValue = 2
)
    begin {
        # Load the ActiveDirectory module (RSAT) if it is not already present.
        if (!(Get-Module ActiveDirectory)) {
            try {
                Import-Module ActiveDirectory -ErrorAction Stop
            }
            catch {
                Write-Host -Object "ActiveDirectory module not found. Please install it and try again." -BackgroundColor DarkRed
                Break
            }
        }
        try {
            # The 'members' attribute holds the distinguished names of all direct members (groups, users, computers).
            $Group = Get-ADGroup $GroupName -Properties members -ErrorAction Stop
            $Members = $Group | Select-Object -ExpandProperty members
            $rootname = $Group.Name
        }
        catch {
            Write-Host -Object "'$GroupName' group doesn't exist in Active Directory. Please try again." -BackgroundColor DarkRed
            Break
        }
    }
    Process {
        # Indent by two spaces per nesting level and print the current group.
        $Minus = $LowerValue - 2
        $Spaces = " " * $Minus
        $Lines = "__"
        "{0}{1}{2}{3}" -f $Spaces, '|', $Lines, $rootname
        $LowerValue += 2
        if ($LowerValue -le $UpperValue) {
            foreach ($member in $Members) {
                try {
                    # Get-ADGroup fails for user and computer members; those are skipped so only groups appear in the tree.
                    $UpperGroup = Get-ADGroup $member -Properties Members, MemberOf -ErrorAction Stop
                }
                catch {
                    Continue
                }
                $LowerGroup = $UpperGroup | Get-ADGroupMember
                # Direct loop check: the member group is itself a member of one of its own members.
                $LoopCheck = $UpperGroup.MemberOf | Where-Object { $LowerGroup.DistinguishedName -contains $_ }
                if ($LoopCheck) {
                    Write-Host "Loop found on $($UpperGroup.Name), skipping..." -BackgroundColor DarkRed
                    Continue
                }
                Show-ADGroupTreeViewMembers -GroupName $member -LowerValue $LowerValue -UpperValue $UpperValue
            } #foreach ($member in $Members)
        }
    } #Process
}

Show-ADGroupTreeViewMembers -GroupName Administrators
```
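The loop check in the script above only catches a direct two-group loop (a member group that also contains its parent); a longer cycle such as A contains B, B contains C, C contains A would still recurse without bound. As an added example that is not part of the original article, the following variant records every group already printed in a hashtable shared across the recursive calls, so cycles of any length and the same group reachable by two paths are expanded only once; it also reports the count of non-group members per group rather than listing them. Show-ADGroupTreeSafe, the $Visited and $Depth parameters and the output format are names chosen for this example, not the author's.

```powershell
#requires -Modules ActiveDirectory
function Show-ADGroupTreeSafe {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, Position = 0)]
        [string]$GroupName,
        # Hypothetical internal parameter: DNs of groups already printed anywhere in the tree.
        # A hashtable is a reference type, so every recursive call shares the same table.
        [hashtable]$Visited = @{},
        [int]$Depth = 0
    )
    $indent = ' ' * ($Depth * 2)
    try {
        $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    }
    catch {
        Write-Warning "'$GroupName' is not an AD group or could not be read: $($_.Exception.Message)"
        return
    }
    if ($Visited.ContainsKey($group.DistinguishedName)) {
        # Already expanded elsewhere: either a cycle or the same group nested under two parents.
        "{0}|__{1}  (already listed above, not expanded again)" -f $indent, $group.Name
        return
    }
    $Visited[$group.DistinguishedName] = $true
    try {
        $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -ErrorAction Stop)
    }
    catch {
        # Typical causes: foreign security principals from a trusted domain, or a group larger than the server's member limit.
        Write-Warning "Could not enumerate members of '$($group.Name)': $($_.Exception.Message)"
        $members = @()
    }
    $childGroups = @($members | Where-Object { $_.objectClass -eq 'group' })
    $otherCount  = $members.Count - $childGroups.Count
    "{0}|__{1}  [{2} direct non-group member(s)]" -f $indent, $group.Name, $otherCount
    foreach ($child in $childGroups) {
        Show-ADGroupTreeSafe -GroupName $child.DistinguishedName -Visited $Visited -Depth ($Depth + 1)
    }
}

Show-ADGroupTreeSafe -GroupName 'Administrators'
```

Because the hashtable is shared across the whole run, a group that appears under two different parents is expanded under the first parent only and marked as already listed under the second; pass a fresh hashtable per branch if you want it expanded in both places.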
